[Oisf-devel] Need Help To Customize Packet Source of Suricata

Maloy Kundu maloy.kundu at gmail.com
Wed Mar 11 11:56:33 UTC 2020


Hi Jason,

The pointer is really helpful to start with the implementation.

Thank you.

Regards
Maloy Kundu

On Tue, Mar 10, 2020 at 12:23 AM Jason Ish <jason.ish at oisf.net> wrote:

> Hello,
>
> On 2020-03-09 12:40 a.m., Maloy Kundu wrote:
> > Hello,
> >
> > I have one question about changing the packet source of Suricata.
> >
> > Suricata receives packets from a network interface by default. I need to
> > have an understanding or knowledge about how to modify the packet source of
> > Suricata. Instead of a probe interface, Suricata will receive packets from
> > another process using shared memory. A process that receives packets
> > from the network probe interface will write packets into shared memory, and from
> > that shared memory Suricata will pick those packets up for processing.
> >
> > Can you please share knowledge or some pointers on this?
>
>
> I'd first start by looking at our somewhat dated documentation we have
> for this:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Acquisition_API
>
> while following along with an existing source such as source-pcap.c, and
> perhaps another like source-erf-dag.c (while for DAG interfaces, it's
> essentially retrieving the packet from shared memory, just behind the
> DAG libraries though). Basically your source gets the data from
> wherever, and has to transform it into what is expected of Suricata.
>
> Updates to the developer documentation are planned, but there should be
> enough there to get a rough start.
>
> Hope that helps,
> Jason
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>

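The shared-memory hand-off described in the question above, as an added example that is not code from this thread or from Suricata: a single-producer, single-consumer ring of packet slots that the capture process fills and a custom source module drains before turning each frame into a Suricata packet. The ring struct, slot layout and function names are my own assumptions; the shm_open()/mmap() setup and the Suricata-side packet conversion (the part the Packet Acquisition API wiki page covers) are left out, so the demo functions use a local ring. The consumer treats the shared region as a trust boundary and re-checks every length the producer wrote.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <string.h>
#define RING_SLOTS 8     /* power of two, so head % RING_SLOTS stays valid across uint32 wraparound */
#define SLOT_BYTES 2048  /* room for one full-size Ethernet frame */
struct pkt_slot { uint32_t len; uint64_t ts_usec; uint8_t data[SLOT_BYTES]; };
/* Hypothetical layout; in a real deployment this lives in the shm_open()/mmap() region both processes attach to.
 * head is advanced only by the capture (producer) process, tail only by the Suricata (consumer) side. */
struct pkt_ring { _Atomic uint32_t head, tail; struct pkt_slot slots[RING_SLOTS]; };
/* Producer: copy one frame into the next free slot. Returns 0 when the frame is too big or the ring is full. */
int ring_put(struct pkt_ring *r, const uint8_t *frame, uint32_t len, uint64_t ts_usec) {
    if (len > SLOT_BYTES) return 0;
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS) return 0;
    struct pkt_slot *s = &r->slots[head % RING_SLOTS];
    s->len = len; s->ts_usec = ts_usec;
    memcpy(s->data, frame, len);
    atomic_store_explicit(&r->head, head + 1, memory_order_release); /* publish only after the copy */
    return 1;
}
/* Consumer: the source module's receive loop calls this, then builds a Suricata packet from out[].
 * Returns 1 on success, 0 when empty, -1 when the producer wrote a length we refuse to trust. */
int ring_get(struct pkt_ring *r, uint8_t *out, uint32_t cap, uint32_t *len, uint64_t *ts_usec) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (head == tail) return 0;
    struct pkt_slot *s = &r->slots[tail % RING_SLOTS];
    uint32_t n = s->len; /* read once: the other process can rewrite shared memory under us */
    if (n > SLOT_BYTES || n > cap) return -1;
    *len = n; *ts_usec = s->ts_usec; memcpy(out, s->data, n);
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return 1;
}
/* Constructed round trip: offer RING_SLOTS + 2 frames (two must be refused), drain, compare bytes. */
int demo_roundtrip(void) {
    struct pkt_ring ring = {0};
    uint8_t frame[60] = {0xff,0xff,0xff,0xff,0xff,0xff, 0,1,2,3,4,5, 0x08,0x06}; /* constructed broadcast frame */
    uint8_t out[SLOT_BYTES]; uint32_t n; uint64_t ts; int put = 0, got = 0;
    for (int i = 0; i < RING_SLOTS + 2; i++) put += ring_put(&ring, frame, sizeof frame, 1000 + i);
    while (ring_get(&ring, out, sizeof out, &n, &ts) == 1)
        got += (n == sizeof frame && memcmp(out, frame, n) == 0);
    return put == RING_SLOTS && got == RING_SLOTS;
}
/* A producer that writes a bogus length must not make the consumer over-read the slot. */
int demo_tampered_len(void) {
    struct pkt_ring ring = {0}; uint8_t frame[14] = {0}, out[SLOT_BYTES]; uint32_t n; uint64_t ts;
    ring_put(&ring, frame, sizeof frame, 1);
    ring.slots[0].len = SLOT_BYTES + 1; /* simulate a misbehaving or compromised capture process */
    return ring_get(&ring, out, sizeof out, &n, &ts);
}
```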